CVE-2016-2173
Published 2017-04-21
Priority P261 · Critical 9.8 · CVSS 3.1 · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 6.26% (92.7th percentile)
org.springframework.core.serializer.DefaultDeserializer in Spring AMQP before 1.5.5 allows remote attackers to execute arbitrary code.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| vmware | spring_advanced_message_queuing_protocol | < 1.5.5 | 1.5.5 |
Detection & IOCs (extracted from sources)
- The vulnerable class is org.springframework.core.serializer.DefaultDeserializer; monitor for deserialization of untrusted data through this class in Spring AMQP versions before 1.5.5.
- Exploitation leverages Java deserialization gadget chains (e.g., the Commons Collections gadget by Chris Frohoff) delivered as crafted serialized objects over AMQP; detect the Java serialization magic bytes (0xACED0005) in AMQP message payloads.
- The vulnerability exists in Spring AMQP before version 1.5.5; the fix was applied upstream in the referenced commit. Ensure affected deployments are patched to 1.5.5 or later.
- The upstream fix is available at the referenced GitHub commit; Fedora packages were patched as springframework-amqp-1.3.9-4.
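As an added example (not code from this page or from the Spring AMQP project), the following Python implements the two detection ideas above over constructed AMQP message bodies: it flags payloads that begin with the Java serialization header 0xACED0005, reads the class name out of the stream's first class descriptor, and alerts on any top-level class that does not match an allow-list of name patterns. The allow-list idea mirrors the whitelist check the upstream fix added, but the patterns, message identifiers, sample bodies and class names here are assumptions chosen for illustration, and the fake stream builder emits only the prefix a real ObjectOutputStream would write.

```python
import fnmatch
import struct
from typing import Dict, List, Optional

# Java ObjectOutputStream header: STREAM_MAGIC (0xACED) followed by STREAM_VERSION (0x0005).
STREAM_MAGIC = b"\xac\xed\x00\x05"
# Type codes from the Java Object Serialization Stream Protocol.
TC_CLASSDESC = 0x72
TC_OBJECT = 0x73
TC_STRING = 0x74
TC_ARRAY = 0x75

# Assumed allow-list of class-name patterns a consumer legitimately expects
# (fnmatch syntax; '*' also matches dots, so 'java.util.*' covers sub-packages).
ALLOWED_PATTERNS: List[str] = ["java.lang.*", "java.util.*", "com.example.orders.*"]


def is_java_serialized(body: bytes) -> bool:
    """True if the payload starts with the Java serialization stream header."""
    return body.startswith(STREAM_MAGIC)


def top_level_class(body: bytes) -> Optional[str]:
    """Return the class name of the stream's first object, or None if it cannot be read.

    Handles TC_OBJECT / TC_ARRAY followed by an inline TC_CLASSDESC, plus TC_STRING.
    Anything else (back-references, proxy class descriptors, truncated data) yields None,
    which the caller treats as suspicious rather than safe.
    """
    if not is_java_serialized(body) or len(body) < 8:
        return None
    type_code = body[4]
    if type_code == TC_STRING:
        return "java.lang.String"
    if type_code not in (TC_OBJECT, TC_ARRAY) or body[5] != TC_CLASSDESC:
        return None
    (name_len,) = struct.unpack(">H", body[6:8])  # className: 2-byte length + modified UTF-8
    name = body[8:8 + name_len]
    if len(name) != name_len:
        return None
    return name.decode("utf-8", errors="replace")


def classify(body: bytes, allowed: List[str] = ALLOWED_PATTERNS) -> str:
    """'ignore' for non-Java payloads, 'allow' for an allow-listed top-level class, else 'alert'."""
    if not is_java_serialized(body):
        return "ignore"
    cls = top_level_class(body)
    if cls is not None and any(fnmatch.fnmatchcase(cls, pattern) for pattern in allowed):
        return "allow"
    return "alert"


def scan(messages: Dict[str, bytes], allowed: List[str] = ALLOWED_PATTERNS) -> Dict[str, str]:
    """Classify each message body; keys are message identifiers, values are verdicts."""
    return {msg_id: classify(body, allowed) for msg_id, body in messages.items()}


def fake_serialized_object(class_name: str) -> bytes:
    """Constructed test data: header, TC_OBJECT, TC_CLASSDESC, className, then a zero
    serialVersionUID, SC_SERIALIZABLE flags (0x02) and a zero field count."""
    name = class_name.encode("utf-8")
    return (STREAM_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", len(name)) + name
            + b"\x00" * 8 + b"\x02" + b"\x00\x00")


# Constructed sample AMQP message bodies (not captured traffic).
SAMPLE_MESSAGES: Dict[str, bytes] = {
    "json-order": b'{"orderId": 42, "sku": "ABC-1"}',
    "plain-string": STREAM_MAGIC + bytes([TC_STRING]) + struct.pack(">H", 2) + b"hi",
    "hashmap": fake_serialized_object("java.util.HashMap"),
    "unexpected-class": fake_serialized_object("sun.reflect.annotation.AnnotationInvocationHandler"),
    "truncated": STREAM_MAGIC + bytes([TC_OBJECT]),
}

if __name__ == "__main__":
    for msg_id, verdict in scan(SAMPLE_MESSAGES).items():
        print(f"{msg_id:18s} {verdict:6s} {top_level_class(SAMPLE_MESSAGES[msg_id])}")
```

The detector only reads the first class descriptor; gadget chains nest their dangerous classes deeper in the stream, so treat this as a triage signal (on a queue whose consumers expect JSON, any Java-serialized body is already worth an alert) and not as a substitute for upgrading to 1.5.5 or later.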
CVSS provenance
- NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
GHSA
Improper Input Validation in Spring AMQP (CWE-20) · ghsa · 2022-05-13 · CRITICAL
org.springframework.core.serializer.DefaultDeserializer in Spring AMQP before 1.5.5 allows remote attackers to execute arbitrary code.
OSV
Improper Input Validation in Spring AMQP · osv · 2022-05-13 · CRITICAL
org.springframework.core.serializer.DefaultDeserializer in Spring AMQP before 1.5.5 allows remote attackers to execute arbitrary code.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-2173 springframework-amqp: remote code execution [fedora-all] · bugzilla · 2016-04-12 · CVSS 9.8 · CRITICAL
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora.
Bugzilla
CVE-2016-2173 springframework-amqp: remote code execution · bugzilla · 2016-04-12 · CVSS 9.8 · CRITICAL
A remote code execution vulnerability was found in Spring AMQP. The class org.springframework.core.serializer.DefaultDeserializer does not validate the deserialized object against a whitelist. By supplying a crafted serialized object like Chris Frohoff's Commons Collections gadget, remote code execution can be achieved.
External references:
https://jira.spring.io/browse/AMQP-590
http://pivotal.io/security/cve-2016-2173
Upstream fix:
https://github.com/spring-projects/spring-amqp/commit/4150f107e60cac4a7735fcf7cb4c1889a0cbab6c
Discussion:
Created springframework-amqp tracking bugs for this issue:
Affects: fedora-all [bug 1326206]
---
springframework-amqp-1.3.9-4.fc24 has been pushed to the Fedora 24 stable repository. If pro
References:
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182551.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182850.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182959.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1326205
- https://pivotal.io/security/cve-2016-2173